{"viewCount": 1, "id": "ZERO-DAY-IN-ANDROID-ADMIN-APP-CAN-BYPASS-SANDBOX/114274", "hash": "cfae689ba487f8c6bb97f436879261b7dcd888c3e690b5b3fbcb1dc9e0c54790", "description": "The Android security team at Google is having a busy month. First the [Stagefright vulnerabilities](<https://threatpost.com/android-stagefright-flaws-put-950-million-devices-at-risk/113960>) surfaced last month just before Black Hat and now researchers at MWR Labs have released information on an unpatched vulnerability that allows an attacker to bypass the Android sandbox.\n\nThe vulnerability lies in the way that the Google Admin application on Android phones handles some URLs. If another application on the phone sends the Admin app a specific kind of URL an attacker can bypass the Same Origin Policy and get data from the Admin sandbox.\n\n\u201cAn issue was found when the Google Admin application received a URL via an IPC call from any other application on the same device. The Admin application would load this URL in a webview within its own activity. If an attacker used a file:// URL to a file that they controlled, then it is possible to use symbolic links to bypass Same Origin Policy and retrieve data out of the Google Admin sandbox,\u201dthe [advisory](<https://labs.mwrinfosecurity.com/advisories/2015/08/13/sandbox-bypass-through-google-admin-webview/>) from MWR Labs says.\n\nAn attacker can exploit this vulnerability by getting a malicious app on a victim\u2019s phone. MWR Labs notified Google of the vulnerability in March and Google acknowledged the report right away and later said it would have a patch ready by June. But the fix was never pushed out and last week MWR Labs informed Google that it planned to release its advisory, which was published Thursday.\n\nGoogle did not respond to a request for comment on this story. The vulnerability affects the current version of the app, and may affect earlier versions as well.\n\n\u201cThe Google Admin application (com.google.android.apps.enterprise.cpanel), has an exported activity that accepts an extra string called setup_url. This can be triggered by any application on the device creating a new intent with the data-uri set to http://localhost/foo and the setup_url string set to a file url that they can write to, such as file://data/data/com.themalicious.app/worldreadablefile.html,\u201d MWR\u2019s advisory says.\n\n\u201cThe ResetPinActivity will then load this in the WebView under the privileges of the Google Admin application.\u201d\n\nMWR says that until a patch is deployed by Google, users with the Google Admin app shouldn\u2019t install any untrusted third party apps, which is good advice for any mobile phone user.", "href": "https://threatpost.com/zero-day-in-android-admin-app-can-bypass-sandbox/114274/", "history": [], "edition": 1, "threatPostCategory": "Mobile Security", "cvelist": [], "references": ["https://threatpost.com/android-stagefright-flaws-put-950-million-devices-at-risk/113960", "https://labs.mwrinfosecurity.com/advisories/2015/08/13/sandbox-bypass-through-google-admin-webview/"], "modified": "2015-08-14T21:09:27", "cvss": {"score": 0, "vector": "NONE"}, "bulletinFamily": "info", "title": "Android Zero Day in Admin App Can Bypass Sandbox", "objectVersion": "1.2", "reporter": "Dennis Fisher", "lastseen": "2016-09-04T20:52:06", "type": "threatpost", "published": "2015-08-13T13:53:00", "enchantments": {"vulnersScore": 2.6}}